ci: test only on Python 3.13 and document nmap scanner

- Simplify CI by removing the multi-version Python matrix and
  standardizing all jobs on Python 3.13 to reduce maintenance
  overhead and focus on the current stable runtime.
- Drop the experimental Python 3.14 job and associated
  continue-on-error handling since it is no longer needed.
- Remove the "dangerous API" grep scan step from the pipeline to
  avoid noisy, brittle checks in CI.
- Add .env to .gitignore so local environment files are not tracked
  in version control.
- Expand documentation for the optional nmap-based scanner with
  security warnings, legal considerations, and guidance for
  responsible use by security researchers.
- Add tests for the nmap scanner and metasploit matcher using
  mocked runners, improving coverage and validating behavior
  without invoking real network scans.

Author: Magic-Man-us

.github/workflows/ci.yml

@@ -26,15 +26,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - python-version: "3.11"
-            experimental: false
-          - python-version: "3.12"
-            experimental: false
           - python-version: "3.13"
             experimental: false
-          - python-version: "3.14"   # treat 3.14 as experimental so CI doesn't block if it breaks
-            experimental: true
-    continue-on-error: ${{ matrix.experimental }}
 
     steps:
       - name: Checkout
@@ -61,16 +54,6 @@ jobs:
       - name: Tests (pytest)
         run: uv run pytest --cov --cov-report=xml --cov-report=html
 
-      - name: Dangerous API scan (grep)
-        continue-on-error: true
-        shell: bash
-        run: |
-          set -euo pipefail
-          if grep -rn -E '\beval\(|\bexec\(|pickle\.loads|yaml\.load\(|subprocess\.(Popen|call)\(' src/ tests/ 2>/dev/null | grep -v 'yaml\.load_safe' || true; then
-            echo "⚠️ Potentially dangerous API usage detected. Please review." >&2
-            exit 2
-          fi
-
       - name: Upload coverage.xml
         uses: actions/upload-artifact@v5
         with:
@@ -103,7 +86,7 @@ jobs:
           enable-cache: true
 
       - name: Set up Python
-        run: uv python install 3.11
+        run: uv python install 3.13
 
       - name: Sync dependencies
         run: uv sync --all-extras --dev
@@ -141,7 +124,7 @@ jobs:
           enable-cache: true
 
       - name: Set up Python
-        run: uv python install 3.11
+        run: uv python install 3.13
 
       - name: Sync dependencies (includes sphinx)
         run: uv sync --all-extras --dev

.gitignore

@@ -69,3 +69,5 @@ scan_results/
 
 # Sphinx documentation build output (generated files only)
 docs/_build/
+
+.env

Makefile

@@ -29,7 +29,7 @@ lint:
 	uv run ruff check .
 
 type:
-	uv run mypy src
+	uv run mypy src --ignore-missing-imports
 
 format:
 	uv run ruff format .